[Freeipa-users] Kerberos hanging

Wed Mar 1 13:30:26 UTC 2017

Hi Terry,

> I've no idea why this keeps happening, everything looks ok then it just stops

Check time an date on all involved servers/workstations - if the
difference is more than 300 seconds , Kerberos might not work
correctly. Apply the same time to all involved servers/workstations.

Regards,

Gerald

On Wed, Mar 1, 2017 at 1:25 PM, Terry John <Terry.John at coxauto.co.uk> wrote:
> I have a problem using freeipa version 3.0.0-50 on CentOS release 6.8. The problem manifests itself as no authentication, and no DNS.
>
> It seems Kerberos just stops responding to requests and requests just get queued up
> # netstat -tuna | grep SYN_RECV
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address               Foreign Address             State
> tcp        0             0           <server IP>:88               <client1 IP>:55440         SYN_RECV
> tcp        0             0           <server IP>:88               <client 2 IP>:40076        SYN_RECV
> tcp        0             0           <server IP>:88               <Client 3 IP>:41525        SYN_RECV
> tcp        0             0           <server IP>:88               <Client4 IP>:53958         SYN_RECV
> tcp        0             0           <server IP>:88               <Client5 IP>:54240         SYN_RECV
>
> Looking at /var/log/krb5kdc.log
> The normal activity of AS_REQ and TGS_REC messages just stops. No error messages. Just  no new messages.
>
> In /var/log/messages the named server reports messages like
> Mar  1 00:00:23 freeipa named[18989]: LDAP error: Can't contact LDAP server
> Mar  1 00:00:23 freeipa named[18989]: connection to the LDAP server was lost
> Mar  1 00:00:23 freeipa named[18989]: bind to LDAP server failed: Can't contact LDAP server
>
> The command "kinit" is totally unresponsive and will time out if you wait long enough.
>
> If I try to restart ipa with "service ipa restart", it hangs on the first stage, trying to stop DIRSRV.
> I have to do a "ps ax" and look for this line.
> 2758 ?        Sl     2:13 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-MY-REALM -i /var/run/dirsrv/slapd-MY-REALM.pid -w /var/run/dirsrv/slapd-MY-REALM.startpid
>
> Then I have to a "kill -9" on the pid
> Then I can do "service ipa restart"
>
> After that it works ok for a while. "A while" may be a few minutes or several hours.
> The filesystem is only 58% used and "free" shows no swap in use so there seems to be plenty of RAM available.
> "top" shows CPU(s) 96% idle with "dirsirv" typically using about 3%CPU at most
>
> I've no idea why this keeps happening, everything looks ok then it just stops
>
> Terry John
> System Administrator- Cox Automotive Software
> E: Terry.John at coxauto.co.uk
>
>
>
> Cox Automotive group of companies within the UK comprises: Cox Automotive UK Limited (registered number: 03183918), Manheim Limited (registered number: 00448761), Cox Automotive Retail Solutions Limited (registered number: 02838588), Motors.co.uk Limited (registered number: 05975777), and Real Time Communications Limited (registered number: 04277845). Each of these companies is registered in England and Wales with the registered office address of Central House, Leeds Road, Rothwell, Leeds LS26 0JE. The Cox Automotive group of companies within the UK operates under various brand/trading names including Cox Automotive UK, Manheim Inspection Services, Manheim Auctions, Modix, Xtime and Closeit.
>
> V:0CF72C13B2AD
>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project